Subversion
Subversion is definitely one of the best revision control systems out there.
Server Setup
You can run a Subversion server several ways:
- plain svnserve, optionally via (x)inetd
- via Apache using WebDAV
- tunneled via SSH
This howto describes only the last method, as the first one is simply insecure and the second one too bloated.
Setup A Dedicated User
This setup uses a single user account for all Subversion users, so create one:
useradd -b /var/svn -c "dedicated SVN+SSH account" -n svn
The newly created user won't get his own home directory, but his base directory is /var/svn, which is the base directory of all Subversion repositories.
I don't trust users to set up their own authorized_keys files, so I configured OpenSSH to use a dedicated directory for all authorized_keys files, which is writable only by root:
AuthorizedKeysFile /etc/ssh/authorized_keys_files/%u
The following instructions assume this setup.
Next, edit /etc/ssh/authorized_keys_files/svn and add lines of the following syntax:
command="/usr/local/bin/svnserve -t --tunnel-user=<USER>",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty TYPE KEY COMMENT
Replace <USER> with the name of the user owning the KEY. TYPE, KEY and COMMENT are the same as the fields found in regular authorized_keys files.
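One way to check the shared key file against the entry syntax above (an added example, not part of the original howto): the function flags entries that lack the forced command, call something other than the wrapper, carry an unexpected --tunnel-user value, or omit one of the four restriction options. The sample keys are constructed placeholders, and the check assumes command= is the first option on each line.

```shell
#!/bin/sh
# Added example: audit the shared svn authorized_keys file against the entry
# syntax from this howto. Assumes command="..." is the first option per line.
WRAPPER='/usr/local/bin/svnserve -t --tunnel-user='
REQUIRED='no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty'

# audit_svn_keys FILE: print "<line>: <problem>" for each bad entry;
# return 0 when every entry is compliant, 1 otherwise.
audit_svn_keys() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac    # skip blanks and comments
        rest=${line#command=\"}
        if [ "$rest" = "$line" ]; then
            echo "$n: no forced command, key is not restricted to svnserve"
            bad=1; continue
        fi
        cmd=${rest%%\"*}      # text between the quotes
        opts=${rest#*\"}      # ",opt,opt TYPE KEY COMMENT"
        opts=${opts%% *}      # keep only the option list
        user=${cmd#"$WRAPPER"}
        case $user in
            "$cmd") echo "$n: forced command is not the svnserve wrapper"; bad=1 ;;
            ''|*[!A-Za-z0-9._-]*) echo "$n: bad --tunnel-user value"; bad=1 ;;
        esac
        for r in $REQUIRED; do
            case ",$opts," in
                *",$r,"*) ;;
                *) echo "$n: missing $r"; bad=1 ;;
            esac
        done
    done < "$1"
    return $bad
}

# Constructed sample entries (key material is a placeholder, not a real key).
sample=$(mktemp)
cat > "$sample" <<'EOF'
command="/usr/local/bin/svnserve -t --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAexampleA alice@laptop
command="/usr/local/bin/svnserve -t --tunnel-user=bob",no-port-forwarding,no-pty ssh-ed25519 AAAAexampleB bob@desk
ssh-ed25519 AAAAexampleC carol@home
command="/usr/bin/svnserve -t",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAexampleD dave@pc
EOF
audit_svn_keys "$sample" || echo "non-compliant entries found"
rm -f "$sample"
```

Run it against /etc/ssh/authorized_keys_files/svn after every change to that file; a non-zero return means at least one key deviates from the intended restrictions.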
Create A Wrapper-Script for svnserve
The big problem when using svnserve via SSH is setting the umask correctly. Therefore create a wrapper at the path referenced in svn's authorized_keys file:
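#!/bin/sh
# Make everything svnserve creates group-writable
umask 002
# Load SVNSERVE_OPTS (left unquoted below so it splits into separate options)
. /etc/conf.d/svnserve
/usr/bin/svnserve $SVNSERVE_OPTS "$@"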
Sourcing /etc/conf.d/svnserve is just for getting the content of SVNSERVE_OPTS. On my system the file looks like:
SVNSERVE_OPTS="--root=/var/svn"
which prevents users from having to use the full path of the filesystem to access the repositories.
Fix Access Rights Of Your Repositories
All repositories have to be:
- kept within /var/svn
- owned by the group svn
- group-writable
Client Setup
So far there is nothing more to do than checking out the desired repository, specifying svn as username:
svn co svn+ssh://svn@<hostname>/<repo>